Techniques and systems for data segregation in redundancy coded data storage systems

ABSTRACT

A computer system, such as a data storage system, implements techniques for segregating and controlling access to data stored in multiple regions. In some embodiments, redundancy coded shards generated from the data and stored in durable storage of a data storage system is allocated across multiple regions, but in a fashion that prevents actors with access to regions outside that of a “home” region from recovering a sufficient number of unique shards to regenerate the data represented thereby. In some embodiments, encryption is used to segregate the data by encrypting the generated shards, then storing the cryptographic information on or otherwise controlling access on hosts or other devices of only the home region.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application incorporates by reference for all purposes the full disclosure of co-pending U.S. patent application Ser. No. 14/741,409, filed Jun. 16, 2015, entitled “ADAPTIVE DATA LOSS MITIGATION FOR REDUNDANCY CODING SYSTEMS,” U.S. patent application Ser. No. 14/789,778, filed Jul. 1, 2015, entitled “INCREMENTAL MEDIA SIZE EXTENSION FOR GRID ENCODED DATA STORAGE SYSTEMS,” U.S. patent application Ser. No. 14/789,783, filed Jul. 1, 2015, entitled “GRID ENCODED DATA STORAGE SYSTEMS FOR EFFICIENT DATA REPAIR,” U.S. patent application Ser. No. 14/789,789, filed Jul. 1, 2015, entitled “CROSS-DATACENTER EXTENSION OF GRID ENCODED DATA STORAGE SYSTEMS,” U.S. patent application Ser. No. 14/789,799, filed Jul. 1, 2015, entitled “CROSS-DATACENTER VALIDATION OF GRID ENCODED DATA STORAGE SYSTEMS,” U.S. patent application Ser. No. 14/789,810, filed Jul. 1, 2015, entitled “INCREMENTAL UPDATES OF GRID ENCODED DATA STORAGE SYSTEMS,” U.S. patent application Ser. No. 14/789,815, filed Jul. 1, 2015, entitled “NON-PARITY IN GRID ENCODED DATA STORAGE SYSTEMS,” U.S. patent application Ser. No. 14/789,825, filed Jul. 1, 2015, entitled “REBUNDLING GRID ENCODED DATA STORAGE SYSTEMS,” U.S. patent application Ser. No. 14/860,706, filed Sep. 21, 2015, entitled “EXPLOITING VARIABLE MEDIA SIZE IN GRID ENCODED DATA STORAGE SYSTEMS,” U.S. patent application Ser. No. 14/789,837, filed Jul. 1, 2015, entitled “DETERMINING DATA REDUNDANCY IN GRID ENCODED DATA STORAGE SYSTEMS,” U.S. patent application Ser. No. 14/869,887, filed Sep. 29, 2015, entitled “TECHNIQUES AND SYSTEMS FOR DATA SEGREGATION IN DATA STORAGE SYSTEMS,” U.S. patent application Ser. No. 14/973,712, filed concurrently herewith, entitled “TECHNIQUES FOR COMBINING GRID-ENCODED DATA STORAGE SYSTEMS,” and U.S. patent application Ser. No. 14/973,708, filed concurrently herewith, entitled “TECHNIQUES FOR EXTENDING GRIDS IN DATA STORAGE SYSTEMS.”

BACKGROUND

Modern computer systems make extensive use of network computing and network data storage systems. Such use has proliferated in recent years, particularly in distributed or virtualized computer systems where multiple computer systems may share resources when performing operations and tasks associated with the computer systems. Such computer systems frequently utilize distributed data storage in multiple locations to store shared data items so that such data items may be made available to a plurality of consumers. The resources for network computing and network data storage are often provided by computing resource providers who leverage large-scale networks of computers, servers, and storage drives to enable customers to host and execute a variety of applications and web services. The usage of network computing and network data storage allows customers to efficiently and to adaptively satisfy their varying computing needs, whereby the computing and data storage resources that may be required by the customers are added or removed from a large pool provided by a computing resource provider as needed.

The proliferation of network computing and network data storage, as well as the attendant increase in the number of entities dependent on network computing and network data storage, have increased the importance of controlling access to data stored and manipulated thereon. As systems scale to meet demand, they tend to become more widely distributed, and controlling the distribution of data so as to prevent unwanted or unauthorized parties from accessing such data becomes more complex.

BRIEF DESCRIPTION OF THE DRAWINGS

Various techniques will be described with reference to the drawings, in which:

FIG. 1 illustrates an example environment in which bundle-encoded, redundancy encoded data is distributed such that the data availability is geographically controlled, in accordance with some embodiments;

FIG. 2 illustrates an example environment in which a computing resource service provider implements a key management service and geographical diversity to control access to data stored and transacted therewith, in accordance with some embodiments;

FIG. 3 illustrates an example environment in which erasure encoded, redundancy encoded data is distributed in a distributed data storage system so as to geographically control data access, in accordance with some embodiments;

FIG. 4 illustrates an example environment in which cryptographic information is located so as to control access to durably stored data in specific regions, in accordance with some embodiments;

FIG. 5 illustrates an example environment in which bundle- or grid-encoded data is stored and processed so as to control access thereto, in accordance with some embodiments;

FIG. 6 illustrates an example process for geographically distributing shards so as to control access to data associated therewith in a distributed data storage system, in accordance with some embodiments;

FIG. 7 illustrates an example process for controlling geographic location and access to cryptographic information so as to control access to data stored on a distributed data storage system, in accordance with some embodiments;

FIG. 8 illustrates an example process for the use of shared secrets, such as by use of Shamir's Secret Sharing, to control access to data stored on a distributed data storage system, in accordance with some embodiments;

FIG. 9 illustrates an example process for reconstructing or otherwise generating data in access-controlled data storage systems using partial sums and partial sum reconstruction in accordance with some embodiments;

FIG. 10 illustrates an example environment where a redundancy encoding technique is applied to data stored in durable storage in accordance with at least one embodiment;

FIG. 11 illustrates an example environment where a redundancy encoding technique is applied to data stored in durable storage in accordance with at least one embodiment;

FIG. 12 illustrates an example process for applying redundancy encoding techniques to data stored in durable storage in accordance with at least one embodiment; and

FIG. 13 illustrates an environment in which various embodiments can be implemented.

DETAILED DESCRIPTION

In one example, a data storage system including durable storage that is distributed across multiple geographic regions (locales) implements various techniques for preventing unauthorized, hostile, or otherwise unwanted entities from accessing data stored thereon. For example, data may be redundancy coded in a variety of ways, as described in detail throughout this disclosure, and a set of shards may be generated therefrom. In some embodiments, the data is redundancy coded such that a predetermined minimum (quorum) quantity of shards in the set of the shards is usable to generate the original data. In such embodiments, volumes of durable storage that are outside of the “home” region for the data represented may only be allocated a quantity of unique shards from the set that is less than the predetermined minimum (quorum) quantity. Accordingly, data sovereignty, i.e., the ability to logically localize the storage of data to a given geographic, administrative, regulatory, or other arbitrarily defined region, may be retained even if such data is stored across multiple regions.

In another example, data is redundancy coded so as to generate bundle-encoded shards, also as described herein, where some of the resultant shard set includes identity shards that contain original data (e.g., the data, such as may be received from a customer or related entity, prior to redundancy coding and/or encryption). So as to prevent actors not associated with the home region from accessing the original data, the identity shards may be stored only on within volumes of durable storage within the home region, while the other regions may only be allocated derived shards (and, as in the previous example, only in a quantity less than that of the predetermined quorum quantity).

In another example, data may be encrypted, in connection with the redundancy encoding process, and data access from outside the home region may be controlled by only storing the cryptographic information (e.g., decryption/encryption keys) used to encrypt (and decrypt) the data and/or shards within the home region, and only allow access thereto by entities associated with the home region (e.g., the owner of the data, the portion of durable storage resident within the home region, etc.). As may be contemplated, multiple aspects of each of these examples, as well as others provided throughout this disclosure, may be also be implemented together in a given implementation, so as to improve the security of the data being stored.

In another example, various encryption and redundancy coding techniques are combined so as to improve security, storage efficiency, retain data sovereignty, and the like. For example, bundle- or grid-encoded shards representing data may be encrypted, in whole or in part, in connection with or prior to allocation. The encryption algorithm may generate a sharded encryption key, such as a shared secret, that is distributed amongst storage devices and/or volumes within the home region (and in some cases in connection with storage of data (identity) shards within the home region). In some embodiments, only the data shards are encrypted. In other embodiments, only the derived shards are encrypted. In yet other embodiments, both data shards and derived shards are encrypted (and in some of such embodiments, less than all of the shards are encrypted). The encryption may take place within the home region.

Partial sum techniques, such as partial sum reconstruction verification techniques, may be used to generate and/or regenerate shards within any of the regions. The partial sum data used during generation and/or regeneration may be transferred between regions so as to allow for various implementations (e.g., differences in which regions the actual action or completion of generation and/or regeneration takes place).

In the following description, various techniques will be described. For purposes of explanation, specific configurations and details are set forth in order to provide a thorough understanding of possible ways of implementing the techniques. However, it will also be apparent that the techniques described below may be practiced in different configurations without the specific details. Furthermore, well-known features may be omitted or simplified to avoid obscuring the techniques being described.

FIG. 1 illustrates an example environment in which bundle-encoded, redundancy encoded data is distributed such that the data availability is geographically controlled, in accordance with some embodiments.

A customer device or other entity connects with a data storage service 104, so as to transact sets of data 104 to be stored on volumes 106 durable storage associated with the data storage service 104. As may be contemplated, the client device, or some other actor (such as that of the computing resource service provider), may also request or otherwise implement the segregation or protection of one or more sets of data so stored. In such embodiments, the data storage service may distribute the data, in some cases after processing the data using one or more redundancy codes (as described further detail below), across multiple volumes in two or more regions. In the example illustrated in FIG. 1, a vertical dashed line differentiates volumes 106 located in a first region (on the left) and volumes 106 located in a second region (on the right).

The customer device may be any computing resource or collection of such resources enabling the customer to interface with the data storage system, such as in a programmatic fashion (e.g., via web service call or application programming interface call), and transact data therewith. Examples include physical computing systems (e.g., servers, desktop computers, laptop computers, thin clients, and handheld devices such as smartphones and tablets), virtual computing systems (e.g., as may be provided by the computing resource service provider using one or more resources associated therewith), hardware or software-based storage devices (such as hard drives, optical drives, solid state devices, virtual storage devices such as provided by the computing resource service provider, and the like), services (e.g., such as those accessible via application programming interface calls, web service calls, or other programmatic methods), and the like.

The network may be a communication network, such as the Internet, an intranet or an Internet service provider (ISP) network. Some communications from the customer device to the data storage system may cause the data storage system to operate in accordance with one or more embodiments described or a variation thereof. The front end through which the data storage service 104, as well as other services as further described herein, operates, may be any entity capable of interfacing via a network with a customer device, as well as various other components of a data storage system, so as to coordinate and/or direct data and requests to the appropriate entities. Examples include physical computing systems (e.g., servers, desktop computers, laptop computers, thin clients, and handheld devices such as smartphones and tablets), virtual computing systems (e.g., as may be provided by the computing resource service provider using one or more resources associated therewith), hardware or software-based storage devices (such as hard drives, optical drives, solid state devices, virtual storage devices such as provided by the computing resource service provider, and the like), services (e.g., such as those accessible via application programming interface calls, web service calls, or other programmatic methods), and the like.

The set of data 102 may be produced by a program, process, application, module, service, or system associated with a computing resource service provider as described herein. The set of data may also be produced by a user or customer of the computing resource service provider, and submitted to the computing resource service provider via a customer device and transmitted via a network. The set of data may include volatile data, which may be added to, changed, and/or deleted from in response to, for example, one or more requests (e.g., application programming interface requests or “API requests”) made by the user or customer of the computer system. The set of data may also include non-volatile data (also referred to herein as “static data”), which may be at least partially unchanging as the one or more requests are received.

The data stored across the durable storage volumes 106 may have an associated durability that may be based on, for example, an annual failure rate (“AFR”) of the data storage volume or the mapped data storage volume. For a given AFR, it may be assumed that the daily failure rate (“DFR”) for the data storage volume or the mapped data storage volume is the AFR divided by three-hundred and sixty-five (i.e., the number of days in a year) and the hourly failure rate (“HFR”) of the data storage volume or the mapped data storage volume is the DFR divided by twenty-four (i.e., the number of hours in a day). For example, if a data storage volume or the mapped data storage volume has an AFR of 2 percent, the data storage volume or the mapped data storage volume has a DFR of 0.0055 percent and an HFR of 0.00023 percent.

When the data is migrated or otherwise stored on the data storage service 114, the data storage service 114 may store the data using one or more redundancy encoding techniques such as those described herein. For example, the data storage service 114 may encode the data by producing one or more data shards 108, 110 and may store the one or more data shards on one or more volumes of a set of volumes 106 of durable storage configured to store the redundancy encoded data as described herein. Depending on the redundancy encoding technique used by the data storage service 114, some or all of the shards stored may consist entirely of original data (identity shards) or derived data (derived shards). In some embodiments, the shards may be apportioned on a one-to-one basis to the volumes 116 of the durable storage. Accordingly, in such embodiments, some volumes may include directly readable, original data (identity shards), while others contain only derived data (derived shards). In the illustrated example, identity shards 108 are stored in the first region and derived shards 110 are stored in the second region.

If, for example, the illustrated set of shards 108, 110 has a minimum quorum quantity of three shards out of the five illustrated, any three of the set of shards—regardless of whether the shard is an identity shard 108 or a derived shard 110, may be processed using the redundancy code so as to regenerate the original data 102. Additionally, the original data 102 may be regenerated by directly reading the identity shards 108, such as by an allowed entity 114 (e.g., an entity that is within the home region). As may be contemplated, if storage of the identity shards 108 is limited to the home (first) region, entities such as allowed entity 114 within the first region will have normally controlled access—such as through the data storage service 104—or, in the event where direct reading of the data by other measures is necessary, such as if the data storage service 104 is unavailable and the data represented by the shard set requires recovery, there are no geographically-placed limitations for an allowed entity 114 to read such data from the identity shards 108.

However, a prohibited entity 116, in the second (non-home) region may, by virtue of only having access (whether direct, legitimate, indirect, or surreptitious) to a limited number of shards 110, that limited number being less than the minimum quorum quantity described. As a result, even if the prohibited entity 116 has unrestricted access to the shards 110 in the second region, the prohibited entity 116 cannot reconstruct data 102 and, even if the prohibited entity 116 attempts to do so, only unreadable, pseudorandom information 112 may result.

The “home” region (the first region, to the left as illustrated in FIG. 1) may be considered as such by virtue of either direction (such as by request) of a customer of the data storage service and/or the computing resource service provider, implied from the geographic origination of the data and/or the customer providing the data, assigned by internal determination of the data storage service 104 for, e.g., reasons of routing, latency, throughput, or efficiency, or any other reason. In one embodiment, the home region may be designated by the customer as part of a data storage request submitted by the customer for storing the data 102 via the data storage service 104 on durable storage volumes 106.

The second region (to the right, as illustrated in FIG. 2) may be one or possible multiple regions outside of the home region. Regions may be specified for any predefined or arbitrary region, and may coincide with political boundaries such as national boundaries, economic boundaries, and the like. In some embodiments, the regions are arbitrarily drawn for reasons other than geography, such as for system efficiency or cost reasons.

Allowed and prohibited entities 114, 116 may be any entities capable of reading, intercepting, being provided with, or directing the retrieval of the data 102 or the shards 108, 110. Examples include customers of the data storage service 104, administrators thereof, arbitrary, non-customer computing devices or persons seeking access to the data (for either legitimate or illegitimate purposes), computing devices or processes (such as bots, scrapers, viruses, and other malware) intended to access data, and the like. The techniques described add an additional layer of control and/or protection to the data stored within data storage systems by virtue of geographic distribution, and in some embodiments, the entities are considered “allowed” and “prohibited” with respect to their geographic location, and not necessarily as a result of their legitimate (or malicious) intent.

It should be noted that, as used herein, the durability of data and/or data storage may be separate from the redundancy of the data in the data storage. For example, data stored in preliminary storage 112 may be highly durable (i.e., have a very low failure rate) but may not be redundant if, for example, it is stored as a single copy. Conversely, data stored using one or more redundancy encoding techniques such as those described herein and while such data may be less durably stored (i.e., may have fewer “9's” of durability), it may be highly redundant. For example, data stored in a grid may have no fewer than four separate copies of the data (one of the data shard, one from the horizontally-derived shards, one from the vertically-derived shards, and one from the remaining shards). If the grid is geographically distributed into, for example, multiple datacenters in multiple regions, the data may have greater redundancy due to the added tolerance for loss of a complete datacenter. The techniques disclosed herein improve control over data access, such as by geographic segregation of stored shards, for data distributed in this fashion.

As may be contemplated, in embodiments where the redundancy code utilized generates or is capable of generating more shards than used in the shard set 108, 110 associated with the data 102, when shards are replaced (such as to repair unavailable shards due to corruption, power outages, and the like), other shards than those initially stored for the data may replace the initial shards. For shards stored in the second region (e.g., outside of the home region), a storage history tracker 118 may be implemented to track and, in some embodiments, limit the number of unique shards stored therein so as to prevent, for example, a prohibited entity 116 from gathering a sufficient quantity of unique shards 110 over time to recreate the data. The storage history tracker 118 may track the type, quantity, and identity of the unique shards stored in the second region, such as in a database table or other suitable structure, for the lifetime of the data 102 as represented in the durable storage. As illustrated, in some embodiments, the storage history tracker 118 is an entity within the home region, and is configured so as to be a “gatekeeper” for stored data flowing in and out of the various entities of the home region.

For example, the storage history tracker 118 may, either directly or by other entities of the data storage service 104, cause shard replacement processes in regions outside of the home region to be constrained to a specified range of unique shards (if, for example, they are uniquely identified and/or indexed when they are generated by the redundancy code). As another example, the storage history tracker may simply passively track the unique shards stored in the durable storage volumes 106 and send a notification to another entity responsible for storing the shards to only use and regenerate the unique shards stored in the second region up to that point, and not to use any additional unique shards to replace them. As yet another example, the storage history tracker 118 may actively block storage of additional unique shards if it detects that, based on its retained history, the number of unique shards stored is approaching (but still less than) the minimum quorum quantity of the redundancy code used.

The storage history tracker 118 may be any computing resource or collection of such resources capable of interacting with other components of the computing resource service provider (such as the durable storage volumes 106 and the data storage service 104), so as to orchestrate and execute the shard history tracking and/or the shard storage limiting processes as implemented. Examples include physical computing systems (e.g., servers, desktop computers, laptop computers, thin clients, and handheld devices such as smartphones and tablets), virtual computing systems (e.g., as may be provided by the computing resource service provider using one or more resources associated therewith), services (e.g., via application programming interface calls, web service calls, or other programmatic methods), databases (which may be implemented on one or more of the foregoing examples), and the like. The storage history tracker 118 may additionally include a data store, such as one or more storage devices or services, that is capable of storing and providing information related to its operations.

FIG. 2 illustrates an example environment in which a computing resource service provider implements a key management service and geographical diversity to control access to data stored and transacted therewith, in accordance with some embodiments.

A customer, via a customer device 202, may connect via a network 204 to one or more services 206 provided by a computing resource service provider 218. In some embodiments, the computing resource service provider 218 may provide a distributed, virtualized and/or datacenter environment within which one or more applications, processes, services, virtual machines, and/or other such computer system entities may be executed. In some embodiments, the customer may be a person, or may be a process running on one or more remote computer systems, or may be some other computer system entity, user, or process. The customer device 202 and the network 204 may be similar to that described in connection with at least FIG. 1 above.

The command or commands to connect to the computer system instance may originate from an outside computer system and/or server, or may originate from an entity, user, or process on a remote network location, or may originate from an entity, user, or process within the computing resource service provider, or may originate from a user of the customer device 202, or may originate as a result of an automatic process or may originate as a result of a combination of these and/or other such origin entities. In some embodiments, the command or commands to initiate the connection to the computing resource service provider 218 may be sent to the services 206, without the intervention of the user of the services 206. The command or commands to initiate the connection to the services 206 may originate from the same origin as the command or commands to connect to the computing resource service provider 218 or may originate from another computer system and/or server, or may originate from a different entity, user, or process on the same or a different remote network location, or may originate from a different entity, user, or process within the computing resource service provider, or may originate from a different user of the customer device 202, or may originate as a result of a combination of these and/or other such same and/or different entities.

The customer device 202 may request connection to the computing resource service provider 218 via one or more connections and, in some embodiments, via one or more networks 204 and/or entities associated therewith, such as servers connected to the network, either directly or indirectly. The customer device 202 that requests access to the services 206 may, as previously discussed, include any device that is capable of connecting with a computer system via a network, including at least servers, laptops, mobile devices such as smartphones or tablets, other smart devices such as smart watches, smart televisions, set-top boxes, video game consoles and other such network-enabled smart devices, distributed computer systems and components thereof, abstracted components such as guest computer systems or virtual machines and/or other types of computing devices and/or components. The network 204, also as previously discussed, may include, for example, a local network, an internal network, a public network such as the Internet, or other networks such as those listed or described herein. The network may also operate in accordance with various protocols such as those listed or described herein.

The computing resource service provider 218 may provide access to one or more host machines as well as provide access to services such as virtual machine (VM) instances, automatic scaling groups, or file-based database storage systems as may be operating thereon. The services 206 may connect to or otherwise be associated with one or more storage services such as those described herein (e.g., the data storage service 214). The storage services may be configured to provide data storage for the services 206. In an embodiment, the computing resource service provider 218 may provide direct access to the one or more storage services for use by users and/or customers of the computing resource service provider. The storage services may manage storage of data on one or more block storage devices and/or may manage storage of data on one or more archival storage devices such as, for example, magnetic tapes.

For example, the computing resource service provider 218 may provide a variety of services 206 to the customer device 202, which may in turn communicate with the computing resource service provider 218 via an interface, which may be a web service interface, application programming interface (API), user interface, or any other type of interface. The services 206 provided by the computing resource service provider 218 may include, but may not be limited to, a virtual computer system service, a block-level data storage service, a cryptography service, an on-demand data storage service, a notification service, an authentication service, a policy management service, an archival storage service, a durable data storage service such as the data storage service 214, and/or other such services. Each of the services 206 provided by the computing resource service provider 218 may include one or more web service interfaces that enable the customer device 202 to submit appropriately configured API calls to the various services through web service requests. In addition, each of the services may include one or more service interfaces that enable the services to access each other (e.g., to enable a virtual computer system of the virtual computer system service to store data in or retrieve data from the on-demand data storage service or the data storage service 214, and/or to access one or more block-level data storage devices provided by the block-level data storage service).

The block-level data storage service may comprise one or more computing resources that collectively operate to store data for a user using block-level storage devices (and/or virtualizations thereof). The block-level storage devices of the block-level data storage service may, for example, be operationally attached to virtual computer systems provided by a virtual computer system service to serve as logical units (e.g., virtual drives) for the computer systems. A block-level storage device may enable the persistent storage of data used or generated by a corresponding virtual computer system where the virtual computer system service may be configured to only provide ephemeral data storage.

The computing resource service provider 218 may also include an on-demand data storage service. The on-demand data storage service may be a collection of computing resources configured to synchronously process requests to store and/or access data. The on-demand data storage service may operate using computing resources (e.g., databases) that enable the on-demand data storage service to locate and retrieve data quickly, to allow data to be provided in response to requests for the data. For example, the on-demand data storage service may maintain stored data in a manner such that, when a request for a data object is retrieved, the data object can be provided (or streaming of the data object can be initiated) in a response to the request. As noted, data stored in the on-demand data storage service may be organized into data objects. The data objects may have arbitrary sizes except, perhaps, for certain constraints on size. Thus, the on-demand data storage service may store numerous data objects of varying sizes. The on-demand data storage service may operate as a key value store that associates data objects with identifiers of the data objects that may be used by the user to retrieve or perform other operations in connection with the data objects stored by the on-demand data storage service.

Note that, unless otherwise specified, use of expressions regarding executable instructions (also referred to as code, applications, agents, etc.) performing operations that instructions do not ordinarily perform unaided (e.g., transmission of data, calculations, etc.) in the context of describing disclosed embodiments denote that the instructions are being executed by a machine, thereby causing the machine to perform the specified operations.

The services 206 may produce data, such as data received from the customer device 202, that may be stored 222 in the preliminary storage 212 as described above. In some embodiments, as previously mentioned, the data stored in the preliminary storage may be stored in unaltered form, such as in an identity shard. While the data is stored in the preliminary storage 212, the data 222 may be accessed by the services 206 (e.g., as a result of one or more API requests by the customer device 202) from the preliminary storage 212. After a determined period 220, such as described above in connection with FIG. 1, has passed and the data is migrated to a data storage service 214 provided by the computing resource service provider 218, the data may be accessed using the data storage service 214. In an embodiment where the data may be stored using redundancy encoding technique such as those described herein, the data storage service 214 may retrieve the data from any of the data volumes 216 and/or may reconstruct the data using the redundancy encoding techniques. The data volumes 216 may be magnetic tape, may be optical disks, or may be some other such storage media. As previously discussed and as further discussed herein, the data may be stored in identity shards that correspond individually to volumes, and may also be processed (using the redundancy encoding techniques) so as to create derived shards.

The data storage service 214 may store the data 222 in the preliminary storage 212 or may transmit a command that causes a different service (e.g., a block storage service or some other storage service such as those described herein) to store the data 222 in the preliminary storage 212. The data storage service 214 may also cause the data to be migrated from the preliminary storage 212 or may transmit a command that causes a different service to cause the data to be migrated from the preliminary storage 212. The data storage service 214 may also transmit a command or commands to cause a different service to perform other operations associated with making data objects eventually durable including, but not limited to, storing the data objects in the data shards, calculating derived shards, updating bundles, updating grids (i.e., updating horizontal, vertical, and other bundles of multiply bundled data), and/or other such operations.

In an embodiment, the preliminary storage 212 is a data storage volume such as, for example, a magnetic disk drive (e.g., a spinning disk drive or a solid state disk drive), computer system memory, magnetic tape, or some other optical storage device. In another embodiment, the preliminary storage 212 is a virtual and/or shared data storage volume that is mapped to a physical storage volume such as, for example, a disk drive, a solid state disk drive, computer system memory, magnetic tape, or some other optical storage device. As may be contemplated, the types of data storage volumes used for the preliminary storage 212 described herein are illustrative examples and other types of data storage volumes used for the preliminary storage 106 may be considered as within the scope of the present disclosure.

In an embodiment, the preliminary storage 212 is a plurality of storage devices that are used to redundantly store the data using techniques such as, for example, bundle encoding, grid encoding, or replicated storage. For example, the preliminary storage 212 may store the data by distributing the data to a plurality of data shards (e.g., putting a first portion of the data in a first data shard and a second portion of the data in a second data shard) and generating one or more derived shards based on those data shards. In another embodiment, the preliminary storage 112 is one or more storage devices that store redundant copies of the data as received. In yet another embodiment, the preliminary storage uses a combination of the storage techniques described herein by, for example, storing a single copy of the data for a first time period (e.g., thirty minutes), storing multiple copies of the data for a second time period (e.g., one day), using redundant storage techniques such as grid or bundle encoding to store the data for a third time period (e.g., thirty days), and then moving the data to more durable storage 216 using the data storage service 214 as described herein.

The set of data may be stored in the preliminary storage 212 in an unaltered form (e.g., not processed, compressed, indexed, or altered prior to storage). The set of data may also be stored in the preliminary storage 212 as, for example, original data (also referred to herein as an “identity shard”) such as the original data shards described herein. In an embodiment, the set of data stored in the preliminary storage 212 is stored without indexing and without any redundancy encoding. In another embodiment, the set of data stored in the preliminary storage 212 is stored with null redundancy encoding (i.e., a redundancy encoding that maps the data to itself). The data in preliminary storage may be stored as raw data, or may be bundle-encoded, or may be grid-encoded, or may be stored using some other method.

In an embodiment, data can be migrated from preliminary storage to the data storage service 212 as a result of an event such as, for example, a request by a customer to store the data in the data storage service 214. Other events may also be used to cause the migration of the data from preliminary storage 212 to the data storage service 214 such as, for example, events generated by a process, module, service, or application associated with the customer or associated with a computing resource service provider. In an illustrative example, a block storage service may maintain data storage in preliminary storage for a running virtual machine instance and, upon termination of the instance, may generate an event to migrate some or all of the data from preliminary storage to durable storage. The triggering event that causes the migration of data from preliminary storage may also be combined with an elapsed time as described above so that, for example, data may be stored in preliminary storage until an event occurs, but the data may also be migrated from preliminary storage if no event occurs prior to the elapsed time. As may be contemplated, the criteria for initiating the migration from preliminary storage described herein are illustrative examples and other such criteria for initiating the migration from preliminary storage may be considered as within the scope of the present disclosure.

As used herein, the durability of a data object may be understood to be an estimate of the probability that the data object will not unintentionally become permanently irretrievable (also referred to herein as “unavailable”). This durability is an estimated probability and is generally expressed as a percentage (e.g., 99.9999 percent). This durability is based on assumptions of probabilities of certain failures (e.g., the AFR of drives used to store the data) and may be based on an average failure rate, a maximum failure rate, a minimum failure rate, a mean failure rate, or some other such failure rate. The durability may be based on a statistical average of the failure over a collection of drives when there are many different drives and/or when there are many different types of drives. The durability may also be based on historical measurements of the failure of drives and/or statistical sampling of the historical measurements of the failure of drives. The durability may also be correlated with the probability that a data object will not unintentionally become unavailable such as, for example, basing the durability on the probability that a data object will unintentionally become unavailable. As may be contemplated, the methods of determining durability of data described herein are merely illustrative examples and other such methods of determining durability of data may be considered as within the scope of the present disclosure.

In an embodiment, a separate service can be configured to monitor the elapsed time associated with the data objects in preliminary storage 212 and, based on a desired durability, cause the data storage service 214 to cause the data to be migrated from the preliminary storage 212 to the durable storage by, for example, transmitting a message to the data storage service. This separate service may operate asynchronously to enforce time limits for all such data stored in preliminary storage.

As previously discussed in connection with at least FIG. 1, a data storage service 214 may interact with a storage history tracker 210 so as to track and limit the shards stored in non-home regions (as denoted in FIG. 2 as the portion of the durable storage 216 to the right of the vertical dashed line), in embodiments where the durable storage 216 is distributed across multiple regions. Additionally, in some embodiments, a key management service 208 may be implemented by the computing resource service provider 218, and the data storage service 214 may interact with the key management service 208 so as to obtain, process, encrypt, and decrypt data and/or cryptographic information (such as cryptographic keys and cryptographic wrappers) for further processing data stored thereon, such as part of or in connection with processing the data 222 for storage on the durable storage 216 (e.g., via a redundancy code).

The key management service 208 may provide cryptographic information, such as encryption keys, for data encryption and decryption. In some embodiments, the key management service 208 encrypts the data directly—that is, the key management service 208 receives the data to be encrypted, encrypts the data, and passes back the encrypted data to the requestor. In other embodiments, the key management service 208 enables other entities to encrypt the data by processing encrypted keys (as in, the encrypted keys themselves being encrypted). In such embodiments, an entity, such as a data storage service, passes an encrypted encryption key or other encrypted cryptographic information, along with a key identifier associated with a decryption key stored or otherwise held by the key management service, to the key management service 208 so as to receive a plain text version of the decryption key. The key management service 208 receives the encrypted encryption key, and, using the key identifier, decrypts the encrypted encryption key and provides it back to the requestor so that the requestor (or associated entity) can perform the decryption operation directly on the data.

FIG. 3 illustrates an example environment in which erasure encoded, redundancy encoded data is distributed in a distributed data storage system so as to geographically control data access, in accordance with some embodiments. The data 302 is submitted, such as by a customer device, to a data storage service 304, so as to be stored in volumes of durable storage 306. The data 302, data storage service 304, and volumes 306 are, in some embodiments, as described in connection with FIGS. 1 and 2 above.

In the illustrated embodiment, the data storage service 304 processes the incoming data 302 so as to generate only derived shards 308, a minimum quorum quantity of which may be used to recreate the data 302. As described in connection with FIG. 1 above, a storage history tracker 318 may be implemented so as to track and limit the unique shards stored in the second region (as illustrated, to the right of the dashed vertical line). It is contemplated that, in some embodiments, the storage history tracker 318 is implemented in multiple regions, including the home (first) region, as a given home region for one set of data may be a non-home region for other sets of data stored thereon. As such, a given storage history tracker 318 may track the identity and/or quantity of unique shards (such as derived shards) stored in any combination of regions so as to allow allowed entities 314 access to data 302 within the home region for that data 302, and disallow prohibited entities 316 from doing so (e.g., resulting in unusable data 312), in a fashion similar to that described above in connection with FIGS. 1 and 2.

FIG. 4 illustrates an example environment in which cryptographic information is located so as to control access to durably stored data in specific regions, in accordance with some embodiments. A set of data 402, such as that submitted by a customer device, is received and processed by a data storage service 404 for storage on durable storage volumes 406 associated with the data storage service 404, in a fashion similar to that described in connection with FIGS. 1 and 2 above, as well as elsewhere herein. In some embodiments, the data is stored as a set of identity shards 408. However, it is contemplated that the techniques described herein, and particularly in connection with FIG. 4, may be used in connection in other embodiments that process and store data as a mix of identity shards and derived shards, as well as that which stores and processes data as derived shards only (e.g., as depicted in FIG. 3).

A key management service 418, as described above in connection with FIG. 2, is used to encrypt the data either prior to generating shards therefrom (e.g., encryption of the data directly), or the shards representing the data (e.g., encryption occurs on the shards after generating the shards from the data). As discussed in connection with FIG. 1, the key management service 418 may encrypt the data or shards, or, in the alternative, may provide cryptographic information that enables another entity, such as the customer, the customer device, or components of the data storage service 404, to perform the encryption. Cryptographic information usable to decrypt the data, such as a key identifier and an encrypted encryption or decryption key associated with the data, is only stored or otherwise made available within the home region, such as in a volume or other data store 420. In some embodiments, the volume or other data store 420 is separate from the volumes 406 used to store data, and in other embodiments, the aforementioned cryptographic information is simply stored in line with the shards on the volumes of durable storage 406.

As may be contemplated, with sufficient access to the cryptographic information made available and stored within the home region, an allowed entity 414 may decrypt the shards stored therein and recreate the data 402 without geographic restriction. However, by virtue of not having access to the requisite cryptographic information for decrypting the encrypted shards, an unauthorized or disallowed entity 416 in a non-home region cannot recreate the original data 402 regardless of the quantity or nature of the shards intercepted (e.g., the disallowed entity 416 can only receive encrypted, and thus unusable data 412, and cannot decrypt it).

In some embodiments, various aspects as described in connection with FIG. 4 are implemented in connection with, e.g., aspects of FIGS. 1-3, so as to allow a quantity of shards equal to or greater than the minimum quorum quantity to be stored in non-home regions, but still prevent unauthorized entities from being able to recover original data represented thereby. For example, in an example where a set of five shards is used to store data, any three of which may be used to recover the original data, three or more shards may be stored in a non-home region (e.g., for improved performance thereof), so long as no more than two of those shards stored within that non-home region remain unencrypted. The remainder is encrypted, and the relevant cryptographic information is stored, e.g., in connection with a key management service 418 within the home region.

FIG. 5 illustrates an example environment in which bundle- or grid-encoded data is stored and processed so as to control access thereto, in accordance with some embodiments.

Similarly to described above in connection with FIGS. 1-4, data 502 is submitted to a data storage service 504 for storage on a plurality of volumes 506, some of which are within home regions (as illustrated to the left of the vertical double line, the two illustrated home regions themselves being separated by a single vertical dotted line) and some of which are within non-home regions (as illustrated to the right of the vertical double line). In some embodiments and as illustrated, the data storage service 504 may process the data so as to generate data (identity) shards 508 and derived shards 510, where the data shards contain an original form of the data 502, while the derived shards 510 contain an encoded form of the data (e.g., as generated by one or more redundancy codes implemented by the data storage service 504, such as a linear erasure code). The shards 508, 510 may form a bundle of bundle-encoded shards, and in some embodiments, the bundle may be part of a grid of grid-encoded shards (with, e.g., both vertically derived and horizontally derived shards, as described in the incorporated references).

In the illustrated example, a quorum quantity of the shards 508, 510—the quantity sufficient to regenerate any of the shards, may be greater than the quantity of derived shards 510 placed in the non-home (foreign) region, so as to prevent a malicious or unauthorized entity 516 outside of the home region from recovering data therefrom, in accordance with embodiments described in connection with at least FIGS. 1-5 above. Similarly, the data may be read directly from (or processed/decrypted directly from, without necessitating the use of the redundancy code to regenerate the data) the data shards 508 and as such, an authorized entity 514 may recover such data 502 within the home region. In some embodiments, an encryption entity, such as a key management service 518 as previously and variously described in connection with at least FIGS. 1 through 5, encrypts the data 502 or some subset of the shards 508, 510, to further control access to the data within and outside of the home region.

As illustrated, the key management service 518 or other encryption entity may provide cryptographic information, such as an encryption key, to be used to encrypt some or all of the data or some or all of the shards. In some embodiments, as previously mentioned, the key management service 518 or other encryption entity may perform the encryption itself. The encryption key or other cryptographic information 520 may be stored in some or all of the volumes of the home region. In some of such embodiments, the cryptographic information 520 may be sharded, such as by using a shared secret cryptographic algorithm such as Shamir's Secret Sharing, such that a quorum quantity of such encryption key shards can be used to reconstruct the encryption key used to encrypt the data and/or the data shards 508. The quorum quantity sufficient to reconstruct the encryption key may be equal to (or, in some cases, different than) the quorum quantity sufficient to reconstruct a shard in the shard set 508, 510. As may be contemplated, while data shards 508 and derived shards 510 are illustrated in FIG. 5, other types of encoding and sharding (e.g., the use of an erasure code where the output shards are all derived shards 510), may be used in connection with a secret sharing or other encryption algorithm as described.

In some embodiments, only the shards within the home region are encrypted. In other embodiments, only the shards destined for the non-home region are encrypted, and such encryption takes place within the home region (where the cryptographic information used to encrypt the shards remains). In other embodiments, all shards are encrypted. In yet other embodiments, both data shards 508 and encrypted shards 510 are encrypted, or some (but not all) shards are encrypted regardless of type within both home and non-home regions. In embodiments where at least the data shards 508 are encrypted, the derived shards 510 may be constructed, e.g., within the home region, using partial sum contributions of the data shards 508, either before, in connection with, and/or after encryption (as applicable), then transferred to the non-home region. As may be contemplated, when other shards are to be regenerated, the checksum or other value associated with the generation with the derived shards 510 may be used to reconstruct one or more other designated other shards by transferring that value back to the home region, and subtracting the known partial sum contributions of other data shards 508 so as to generate the desired shard to be regenerated, in accordance with techniques described in the incorporated disclosures.

As may be contemplated, the foregoing combinations of techniques are not limited to those described, and other combinations are contemplated hereby, such as the added use of a storage history tracker 318 to prevent a quantity of derived shards equal to or greater than the quorum quantity for the shard set from being stored in non-home regions.

FIG. 6 illustrates an example process for geographically distributing shards so as to control access to data associated therewith in a distributed data storage system, in accordance with some embodiments.

At step 602, an entity, such as a data storage service as described above in connection with at least FIGS. 1 through 5, processes data received (e.g., from a customer entity as previously described) for storage as shards in multiple volumes of durable storage. The shards may be generated using one or more redundancy encodings as described herein, and the associated requests may indicate a region (e.g., a home region), to be associated with the data, and therefore the shards.

At step 604, the shards resulting from the processing of step 602 are apportioned, such as by the data storage service, to volumes of durable storage, which may be distributed across one or more disparate regions. As previously mentioned, such distribution may be performed for various reasons, including further redundancy, ease and/or efficiency of routing, and the like.

At step 606, the identity, content, and/or type of unique shards (e.g., by shard index) stored in a given geographic location is tracked and, in some cases limited by, an entity such as a storage history tracker as previously described. As mentioned, storage history trackers may be implemented in some or all regions, as in some embodiments, a region considered to be a “home” region for a given set of data may be a non-home region for a different set of data stored thereon.

At step 608, the range, type, quantity, and/or content of shards used for replacing one stored shard for another may, for various reasons as discussed herein, be constrained in accordance with the limitations and/or tracking implemented in connection with step 506. For example, a given set of data may be considered (e.g., by its content, or as part of an associated data storage request) geographically sensitive or limited, and may be stored and its associated shards tracked so as to prevent an unwanted entity in a non-home region from ever accessing a sufficient quantity and/or variety of shards to recreate that data. However, data that is designated as not geographically sensitive may have associated shards distributed without such restrictions. As may be contemplated, the techniques discussed may be implemented granularly, such as by data set.

FIG. 7 illustrates an example process for control geographic location and access to cryptographic information so as to control access to data stored on a distributed data storage system, in accordance with some embodiments.

At step 702, an entity, such as a data storage service as described above in connection with at least FIGS. 1 through 6, processes data received (e.g., from a customer entity as previously described) for storage as shards in multiple volumes of durable storage, and, either before or after associating the data with shards, may encrypt the data or the shards (e.g., using a key management service). The key management service may perform the encryption directly on the data, on the shards, or provide cryptographic information to a different entity for encryption, and the associated requests may indicate a region (e.g., a home region), to be associated with the data, and therefore the shards.

At step 704, the encryption information associated with data so encrypted is stored in connection with the data and/or shards in the home region, and not in any other region. As previously discussed, such storage may be in a separate volume or other data store from those storing the data, or, in some embodiments, is stored in line with the shards on the same volumes.

At step 706, access, such as by an unwanted or unauthorized entity within a non-home region, to the cryptographic information is limited, such as by geography or other measures (e.g., active firewalling). Conversely, at step 608, access to the cryptographic information is allowed for entities within the home region for that data, so as to enable such entities to decrypt the shards into the original data as desired.

FIG. 8 illustrates an example process for the use of shared secrets, such as by use of Shamir's Secret Sharing, to control access to data stored on a distributed data storage system, in accordance with some embodiments.

At step 802, data received, such as from a client entity as previously described, is processed by, e.g., a data storage system or service, with one or more redundancy codes to generate identity (data) and/or derived shards of a shard set to represent the received data. As previously discussed, the redundancy code used may be a linear erasure code, such as Reed-Solomon, and may generate only derived shards, a bundle of bundle-encoded shards (e.g., data and derived shards), and/or a grid of grid-encoded shards (which may include a plurality of bundles).

At step 804, the identity shards generated in step 802 are encrypted, such as using cryptographic information provided by a key management service as previously described, for storage in volumes associated with main (home) regions, which may be designated within one or more data storage requests provided to the data storage system or service (e.g., those submitted in connection with the data received in step 802). At step 806, an entity, such as the data storage system or the key management system, further processes the cryptographic information to generate one or more shared secrets to be distributed, e.g., across volumes within the main (home regions) just mentioned. As previously discussed, such a shared secret may be configured such that a quorum quantity (subset) of shards generated from the encryption key are sufficient to recover the entire encryption key used to encrypt (and usable to decrypt) the data shards. The sharded, shared secret may be stored on an equal or different number of volumes in connection with or separately from the data shards.

At step 808, the derived shards generated in step 802 are stored in foreign (non-home or alternate) regions in a way that prevents unauthorized access to the data within those foreign regions, such as by preventing the key from leaving the home region, or by placing a quantity of the derived shards that is less than the quorum quantity sufficient to rebuild the incoming data or another shard in the shard set. As previously mentioned, a storage history tracker may be used for this purpose.

At step 810, for authorized entities (e.g., those in the home region and with access to a sufficient quantity of encryption key shards), data access is provided by the data storage system so long as a sufficient quantity of the sharded cryptographic information is obtained, thereby allowing for decryption and regeneration of the data stored therein.

FIG. 9 illustrates an example process for reconstructing or otherwise generating data in access-controlled data storage systems using partial sums and partial sum reconstruction in accordance with some embodiments.

At step 902, data received, such as from client entities associated with the data storage system, are processed with a redundancy code, such as by entities within the home region (e.g., the volumes, or parts of the data storage system or service), so as to generate data shards in step 902 and derived shards in step 904. At step 906, the generated derived shards are transferred to the non-home (foreign, alternate) regions, such as, for example, to prevent any information regarding the generation thereof from also being made known outside of the home region.

At step 908, in connection with a data request (e.g., of the data storage service or of a client device connected therewith, such as for retrieval of data or regeneration of one or more shards), the total checksum or other generated value associated with one or more of the derived shards in the foreign region is transferred back to the home region, and the partial sum contribution to those derived shards of each other shard in a quorum within the home region is calculated. The remaining value, according to techniques discussed in further detail in the incorporated disclosures, is used to generate the data and/or the request shard for regeneration at step 910, in a fashion that prevents such information from being known outside of the home region (e.g., by being calculated within only the home region).

FIG. 10 illustrates an example environment 1000 where a redundancy encoding technique is applied to data stored in durable storage as described in connection with FIG. 1 and in accordance with an embodiment. The redundancy encoding technique illustrated in FIG. 10 is an example of a grid encoding technique wherein each identity shard is part of a first set of one or more identity shards which may be bundled with one or more derived shards in a first group or bundle (i.e., in one dimension or direction) and each identity shard is also part of at least a second set of one or more identity shards which may be bundled with one or more other derived shards in a second bundle or group (i.e., in a second dimension or direction). As is illustrated in FIG. 10, a grid encoding technique is often implemented as a two-dimensional grid, with each shard being part of two bundles (i.e., both “horizontal” and “vertical” bundles). However, a grid encoding technique may also be implemented as a three-dimensional grid, with each shard being part of three bundles, or a four-dimensional grid, with each shard being part of four bundles, or as a larger-dimensional grid. Additional details of grid encoding techniques are described in U.S. patent application Ser. No. 14/789,783, filed Jul. 1, 2015, entitled “GRID ENCODED DATA STORAGE SYSTEMS FOR EFFICIENT DATA REPAIR”, which is incorporated by reference herein.

In the example illustrated in FIG. 10, data 1002 from preliminary storage is provided for storage in durable storage using a redundancy encoding technique with both horizontal derived shards and vertical derived shards. In the example illustrated in FIG. 10, a first datacenter 1012 may contain data shards (denoted as a square shard with the letter “I”), horizontal derived shards (denoted as a triangular shard with the Greek letter “δ” or delta), and vertical derived shards (denoted as an inverted triangle with the Greek letter “δ”) all of which may be stored on durable storage volumes within the first datacenter 1012. A second datacenter 1014, which may be geographically and/or logically separate from the first datacenter 1012, may also contain data shards, horizontal derived shards, and/or vertical derived shards. A third datacenter 1016, which may be geographically and/or logically separate from the first datacenter 1012 and from the second datacenter 1014, may also contain data shards, horizontal derived shards, and/or vertical derived shards. As illustrated in FIG. 10, each of the three datacenters may be a single vertical bundle. In an embodiment, each of the datacenters can include multiple vertical bundles. As may be contemplated, the number of datacenters illustrated in FIG. 10 and/or the composition of the datacenters illustrated in FIG. 10 are merely illustrative examples and other numbers and/or compositions of datacenters may be considered as within the scope of the present disclosure. The datacenters may be co-located or may be located in one or more separate datacenter locations.

In the example illustrated in FIG. 10, the data 1002 may be copied to a data shard 1004 and, as a result of the change to the data in the data shard 1004, a horizontal derived shard 1006 associated with the data shard 1004 may be updated so that the horizontal derived shard 1006 may be used to reconstruct the data shard 1004 in the event of a loss of the data shard 1004. In the example illustrated in FIG. 10, the three shards enclosed by the dotted line (e.g., the data shard 1004, the data shard 1020, and the horizontal derived shard 1006) are a horizontal bundle 1018. In this example, the data shard 1020 is not affected by the changes to the data shard 1004 but the horizontal derived shard 1006 may need to be updated as a result of the changes to the data shard 1004.

Also as a result of the change to the data in the data shard 1004, one or more vertical derived shards 1008 related to the data shard 1004 may also be updated so that the vertical derived shards 1008 may be used to reconstruct the data shard 1004 in the event of a loss of the data shard 1004 and the horizontal derived shard 1006. In the example illustrated in FIG. 10, the shards in datacenter 1012 form a vertical bundle. In this example, the other data shards 1022 in the vertical bundle and/or the horizontal derived shards 1024 in the vertical bundle are not affected by the changes to the data shard 1004 but the vertical derived shards 1008 may need to be updated as a result of the changes to the data shard 1004. Finally, as a result of the change to the horizontal derived shard 1006, one or more vertical derived shards 1010 related to the horizontal derived shard 1006 in the vertical bundle in datacenter 1016 may also be updated so that the vertical derived shards 1010 may be used to reconstruct the horizontal derived shard 1006 in the event of a loss of the horizontal derived shard 1006 and the data shard 1004.

FIG. 11 illustrates an example environment 1100 where a redundancy encoding technique is applied to data stored in durable storage as described herein and in accordance with at least one embodiment. The redundancy encoding technique illustrated in FIG. 11 is an example of a bundle encoding technique wherein one or more identity shards (also referred to herein as “data shards”) may be bundled with one or more derived shards in a single group or dimension. Additional details of bundle encoding techniques are described in U.S. patent application Ser. No. 14/741,409, filed Jun. 16, 2015, entitled “ADAPTIVE DATA LOSS MITIGATION FOR REDUNDANCY CODING SYSTEMS”, which is incorporated by reference herein.

Data 1102 from preliminary storage may be sent to a data storage system 1104 for redundant storage. The data 1102 may be provided from the preliminary storage by any entity capable of transacting data with a data storage system, such as over a network (including the Internet). Examples include physical computing systems (e.g., servers, desktop computers, laptop computers, thin clients, and handheld devices such as smartphones and tablets), virtual computing systems (e.g., as may be provided by the computing resource service provider using one or more resources associated therewith), services (e.g., such as those connecting to the data storage system 1104 via application programming interface calls, web service calls, or other programmatic methods), and the like.

The data storage system 1104 may be any computing resource or collection of such resources capable of processing data for storage, and interfacing with one or more resources to cause the storage of the processed data. Examples include physical computing systems (e.g., servers, desktop computers, laptop computers, thin clients, and handheld devices such as smartphones and tablets), virtual computing systems (e.g., as may be provided by the computing resource service provider using one or more resources associated therewith), services (e.g., such as those connecting to the data storage system 1104 via application programming interface calls, web service calls, or other programmatic methods), and the like. In some embodiments, the resources of the data storage system 1104, as well as the data storage system 1104 itself, may be one or more resources of a computing resource service provider, such as that described in further detail below. In some embodiments, the data storage system 1104 and/or the computing resource service provider provides one or more archival storage services and/or data storage services, such as those described herein, through which a client entity may provide data such as the data 1102 for storage in preliminary storage and/or the data storage system 1104.

Data 1102 may include any quantity of data in any format. For example, the data 1102 may be a single file or may include several files. The data 1102 may also be encrypted by, for example, a component of the data storage system 1104 after the receipt of the data 1102 in response to a request made by a customer of the data storage system 1104 and/or by a customer of computing resource service provider.

The data storage system 1104 may sort one or more identity shards according to one or more criteria (and in the case where a plurality of criteria is used for the sort, such criteria may be sorted against sequentially and in any order appropriate for the implementation). Such criteria may be attributes common to some or all of the archives, and may include the identity of the customer, the time of upload and/or receipt (by the data storage system 1104), archive size, expected volume and/or shard boundaries relative to the boundaries of the archives (e.g., so as to minimize the number of archives breaking across shards and/or volumes), and the like. As mentioned, such sorting may be performed so as to minimize the number of volumes on which any given archive is stored. Such techniques may be used, for example, to optimize storage in embodiments where the overhead of retrieving data from multiple volumes is greater than the benefit of parallelizing the retrieval from the multiple volumes. Information regarding the sort order may be persisted, for example, by the data storage system 1104, for use in techniques described in further detail herein.

As previously discussed, in some embodiments, one or more indices may be generated in connection with, for example, the order in which the archives are to be stored, as determined in connection with the sorting mentioned immediately above. The index may be a single index or may be a multipart index, and may be of any appropriate architecture and may be generated according to any appropriate method. For example, the index may be a bitmap index, dense index, sparse index, or a reverse index. Embodiments where multiple indices are used may implement different types of indices according to the properties of the identity shard to be stored via the data storage system 1104. For example, a data storage system 1104 may generate a dense index for archives over a specified size (as the size of the index itself may be small relative to the number of archives stored on a given volume), and may also generate a sparse index for archives under that specified size (as the ratio of index size to archive size increases).

The data storage system 1104 is connected to or includes one or more volumes 1106 on which archives or identity shards may be stored. The generated indices for the archives may also be stored on the one or more volumes 1106. The volumes 1106 may be any container, whether logical or physical, capable of storing or addressing data stored therein. In some embodiments, the volumes 1106 may map on a one-to-one basis with the data storage devices on which they reside (and, in some embodiments, may actually be the data storage devices themselves). In some embodiments, the size and/or quantity of the volumes 1106 may be independent of the capacity of the data storage devices on which they reside (e.g., a set of volumes may each be of a fixed size such that a second set of volumes may reside on the same data storage devices as the first set). The data storage devices may include any resource or collection of resources, such as those of a computing resource service provider, that are capable of storing data, and may be physical, virtual, or some combination of the two.

As previously described, one or more indices may, in some embodiments, be generated for each volume of the plurality of volumes 1106, and in such embodiments, may reflect the archives stored on the respective volume to which it applies. In embodiments where sparse indices are used, a sparse index for a given volume may point to a subset of archives stored or to be stored on that volume, such as those archives which may be determined to be stored on the volume based on the sort techniques mentioned previously. The subset of volumes to be indexed in the sparse index may be selected on any appropriate basis and for any appropriate interval. For example, the sparse index may identify the archives to be located at every x blocks or bytes of the volume (e.g., independently of the boundaries and/or quantity of the archives themselves). As another example, the sparse index may identify every nth archive to be stored on the volume. As may be contemplated, the indices (whether sparse or otherwise), may be determined prior to actually storing the archives on the respective volumes. In some embodiments, a space may be reserved on the volumes so as to generate and/or write the appropriate indices after the archives have been written to the volumes 1106.

In some embodiments, the sparse indices are used in connection with information relating to the sort order of the archives so as to locate archives without necessitating the use of dense indices, for example, those that account for every archive on a given volume. Such sort order-related information may reside on the volumes 1106 or, in some embodiments, on an entity separate from the volumes 1106, such as in a data store or other resource of a computing resource service provider. Similarly, the indices may be stored on the same volumes 1106 to which they apply, or, in some embodiments, separately from such volumes 1106.

The archives may be stored, bit for bit (e.g., the “original data” of the archives), on a subset of the plurality of volumes 1106. Also as mentioned, appropriate indices may also be stored on the applicable subset of the plurality of volumes 1106. The original data of the archives is stored as a plurality of shards across a plurality of volumes, the quantity of which (either shards or volumes, which in some cases may have a one to one relationship) may be predetermined according to various factors, including the number of total shards that may be used to reconstruct the original data using a redundancy encode. In some embodiments, the number of volumes used to store the original data of the archives is the quantity of shards that may be used to reconstruct the original data from a plurality of shards generated by a redundancy code from the original data. As an example, FIG. 11 illustrates five volumes, three of which contain original data archives 1108 and two of which contain derived data 1110, such as redundancy encoded data. In the illustrated example, the redundancy code used may require any three shards to regenerate original data, and therefore, a quantity of three volumes may be used to write the original data (even prior to any application of the redundancy code).

The volumes 1106 bearing the original data archives 1108 may each contain or be considered as shards unto themselves. For example, the data 1102 from preliminary storage may be copied directly only to a volume if, as described herein, it is stored in preliminary storage as an identity shard. In embodiments where the sort order-related information and/or the indices are stored on the applicable volumes 1106, they may be included with the original data of the archives and stored therewith as shards, as previously mentioned. In the illustrated example, the original data archives 1108 are stored as three shards (which may include the respective indices) on three associated volumes 1106. In some embodiments, the original data archives 1108 (and, in embodiments where the indices are stored on the volumes, the indices) are processed by an entity associated with, for example, the archival storage service, using a redundancy code, such as an erasure code, so as to generate the remaining shards, which contain encoded information rather than the original data of the original data archives. The original data archives 1108 may be processed using the redundancy code at any time after being sorted, such as prior to being stored on the volumes, contemporaneously with such storage, or after such storage.

Such encoded information may be any mathematically computed information derived from the original data, and depends on the specific redundancy code applied. As mentioned, the redundancy code may include erasure codes (such as online codes, Luby transform codes, raptor codes, parity codes, Reed-Solomon codes, Cauchy codes, Erasure Resilient Systematic Codes, regenerating codes, or maximum distance separable codes) or other forward error correction codes. In some embodiments, the redundancy code may implement a generator matrix that implements mathematical functions to generate multiple encoded objects correlated with the original data to which the redundancy code is applied. In some of such embodiments, an identity matrix is used, wherein no mathematical functions are applied and the original data (and, if applicable, the indices) are allowed to pass straight through. In such embodiments, it may be therefore contemplated that the volumes bearing the original data (and the indices) may correspond to objects encoded from that original data by the identity matrix rows of the generator matrix of the applied redundancy code, while volumes bearing derived data correspond to other rows of the generator matrix. In the example illustrated in FIG. 11, the five volumes 1106 include three volumes that have shards (e.g., identity shards) corresponding to the original data of the original data archives 1108, while two have encoded shards corresponding to the derived data 1110 (also referred to herein as “derived shards”). As illustrated in FIG. 11, the three original data archives 1108, and the two encoded shards corresponding to the derived data 1110 form a bundle 1118 (denoted by the dashed line). In this example, the applied redundancy code may result in the data being stored in a “3:5” scheme, wherein any three shards of the five stored shards are required to regenerate the original data, regardless of whether the selected three shards contain the original data or the derived data.

In some embodiments, if one of the volumes 1106 or a shard stored thereon is detected as corrupt, missing, or otherwise unavailable, a new shard may be generated using the redundancy code applied to generate the shard(s) in the first instance. The new shard may be stored on the same volume or a different volume, depending, for example, on whether the shard is unavailable for a reason other than the failure of the volume. The new shard may be generated by, for example, the data storage system 1104, by using a quantity of the remaining shards that may be used to regenerate the original data (and the index, if applicable) stored across all volumes, regenerating that original data, and either replacing the portion of the original data corresponding to that which was unavailable (in the case that the unavailable shard contains original data), or reapplying the redundancy code so as to provide derived data for the new shard.

As previously discussed, in some embodiments, the new shard may be a replication of the unavailable shard, such as may be the case if the unavailable shard includes original data of the archive(s). In some embodiments, the new shard may be selected from a set of potential shards as generated by, for example, a generator matrix associated with the redundancy code, so as to differ in content from the unavailable shard (such as may be the case if the unavailable shard was a shard generated from the redundancy code, and therefore contains no original data of the archives). As discussed throughout this disclosure, the shards and/or volumes may be grouped and/or layered.

In some embodiments, retrieval of an archive stored in accordance with the techniques described herein may be requested by a client entity under control of a customer of the computing resource service provider and/or the archival storage service provided therefrom, as described in further detail throughout this disclosure. In response to the request, the data storage system 1104 may locate, based on information regarding the sort order of the archives as stored on the volumes 1106, the specific volume on which the archive is located. Thereafter, the index or indices may be used to locate the specific archive, whereupon it may be read from the volume and provided to a requesting client entity. In embodiments where sparse indices are employed, the sort order information may be used to locate the nearest location (or archive) that is sequentially prior to the requested archive, whereupon the volume is sequentially read from that location or archive until the requested archive is found. In embodiments where multiple types of indices are employed, the data storage system 1104 may initially determine which of the indices includes the most efficient location information for the requested archive based on assessing the criteria used to deploy the multiple types of indices in the first instance. For example, if archives under a specific size are indexed in a sparse index and archives equal to or over that size are indexed in a parallel dense index, the data storage system 1104 may first determine the size of the requested archive, and if the requested archive is larger than or equal to the aforementioned size boundary, the dense index may be used so as to more quickly obtain the precise location of the requested archive.

In some embodiments, the volumes 1106 may be grouped such that each given volume has one or more cohorts 1116. In such embodiments, a volume set (e.g., all of the illustrated volumes 1106) may be implemented such that incoming archives to be stored on the volumes are apportioned to one or more failure-decorrelated subsets of the volume set. The failure-decorrelated subsets may be some combination of the volumes 1106 of the volume subset, where the quantity of volumes correlates to a number of shards required for the implemented redundancy code. In the illustrated example, the overall volume set may comprise two failure-decorrelated subsets (volumes in a horizontal row) where a given constituent volume is paired with a cohort (e.g., the cohort 1116). In some embodiments, the incoming archives are apportioned to one or more of the cohorts in the failure-decorrelated subset according to, for example, a predetermined sequence, based on one or more attributes of the incoming archives, and the like.

The illustrated example shows, for clarity, a pair-wise cohort scheme, though other schemes are contemplated as within scope of this disclosure, some of which are outlined in greater detail herein. In the illustrated example, some of the volumes of the volume set store original data of incoming archives (e.g., original data archives 1108 and/or original data archives 1112), while others store derived data (e.g., derived data 1110 and derived data 1114). The data storage system 1104 may implement a number of failure-decorrelated subsets to which to store the incoming archives, and in the pair-wise scheme pictured, the volumes used for a given archive may differ based on some arbitrary or predetermined pattern. As illustrated, some archives may be apportioned to volumes of a given cohort that are assigned to one pattern, or failure-decorrelated subset as shown by original data archives 1108 and derived data 1110, while others are apportioned to volumes in a different pattern as shown by original data archives 1112 and derived data 1114. The patterns, as mentioned, may be arbitrary, predefined, and/or in some cases, sensitive to attributes of the incoming data. In some embodiments, patterns may not be used at all, and the member volumes of a given failure-decorrelated subset may be selected randomly from a pool of volumes in the volume set.

FIG. 12 illustrates an example process 1200 for applying redundancy encoding techniques to data stored in durable storage as described herein in connection with FIG. 1 and in accordance with at least one embodiment. The example process 1200 illustrated in FIG. 12 illustrates the processing, indexing, storing, and retrieving of data stored on a data storage system. The data may be retrieved from preliminary storage as described herein. The example process 1200 illustrated in FIG. 12 may be used in conjunction with a grid encoding technique such that described in connection with FIG. 10, in conjunction with a bundle encoding technique such as that described in connection with FIG. 11, or with some other redundancy encoding technique. A data storage service such as described elsewhere herein may perform the example process 1200 illustrated in FIG. 12.

At step 1202, a resource of a data storage system, such as that implementing a redundancy code to store archives, determines which subset (e.g., quantity) of a plurality of volumes that may be used to recreate the original data to be stored, based on, for example, a redundancy code to be applied to the archives. For example, in accordance with the techniques described above in connection with FIG. 8, such information may be derived from predetermining the parameters of an erasure code with a specified ratio of shards that may be used to regenerate the original data from which they derive to the total number of shards generated from the application of the erasure code.

At step 1204, original data, such as original data of archives received from customers of, for example, a data storage system or a computing resource service provider as described in further detail herein, is sorted by, for example, the data storage system or associated entity. For example, the sort order may be implemented on one or more attributes of the incoming data.

At step 1206, one or more indices, such as sparse indices, are generated by, for example, the data storage system, for the original data. For example, there may be more than one index for a given volume, and such parallel indices may be of different types depending on the nature of the archives and/or original data being stored.

At step 1208, the original data is stored, for example, by the data storage system, on the subset of volumes determined in connection with step 1202, and in the order determined in step 1204. Additionally, at step 1210, the index generated in step 1206 is stored, for example, by the data storage system, on an appropriate entity. For example, the index may be stored as part of a shard on which the original data is stored, or, in some embodiments, may be stored on a separate resource from that which persists the volume.

At step 1212, the redundancy code is applied, for example, by the data storage system, to the determined subset of volumes (e.g., shards, as previously described herein), and additional shards containing data derived from the application of the redundancy code are stored on a predetermined quantity of volumes outside the subset determined in connection with step 1202. For example, the ratio of volumes (e.g., shards as previously described herein) storing the original data to the overall quantity of volumes (including those storing the derived data generated in this step 1212) may be prescribed by the recovery/encoding ratio of the redundancy code applied herein.

At step 1214, in normal operation, requested data may be retrieved, for example, by the data storage system, directly from the subset of volumes storing the original data, without necessitating retrieval and further processing (e.g., by the redundancy code) from the volumes storing the derived data generated in step 1212. However, at step 1216, if any of the volumes are determined, for example, by the data storage system, to be unavailable, a replacement shard may be generated by the data storage system by reconstructing the original data from a quorum of the remaining shards, and re-encoding using the redundancy code to generate the replacement shard. The replacement shard may be the same or may be different from the shard detected as unavailable.

FIG. 13 illustrates aspects of an example environment 1300 for implementing aspects in accordance with various embodiments. As will be appreciated, although a web-based environment is used for purposes of explanation, different environments may be used, as appropriate, to implement various embodiments. The environment includes an electronic client device 1302, which can include any appropriate device operable to send and/or receive requests, messages, or information over an appropriate network 1304 and, in some embodiments, convey information back to a user of the device. Examples of such client devices include personal computers, cell phones, handheld messaging devices, laptop computers, tablet computers, set-top boxes, personal data assistants, embedded computer systems, electronic book readers, and the like. The network can include any appropriate network, including an intranet, the Internet, a cellular network, a local area network, a satellite network or any other such network and/or combination thereof. Components used for such a system can depend at least in part upon the type of network and/or environment selected. Many protocols and components for communicating via such a network are well known and will not be discussed herein in detail. Communication over the network can be enabled by wired or wireless connections and combinations thereof. In this example, the network includes the Internet and/or other publicly-addressable communications network, as the environment includes a web server 1306 for receiving requests and serving content in response thereto, although for other networks an alternative device serving a similar purpose could be used as would be apparent to one of ordinary skill in the art.

The illustrative environment includes at least one application server 1308 and a data store 1310. It should be understood that there can be several application servers, layers or other elements, processes or components, which may be chained or otherwise configured, which can interact to perform tasks such as obtaining data from an appropriate data store. Servers, as used herein, may be implemented in various ways, such as hardware devices or virtual computer systems. In some contexts, servers may refer to a programming module being executed on a computer system. As used herein, unless otherwise stated or clear from context, the term “data store” refers to any device or combination of devices capable of storing, accessing and retrieving data, which may include any combination and number of data servers, databases, data storage devices and data storage media, in any standard, distributed, virtual or clustered environment. The application server can include any appropriate hardware, software and firmware for integrating with the data store as needed to execute aspects of one or more applications for the client device, handling some or all of the data access and business logic for an application. The application server may provide access control services in cooperation with the data store and is able to generate content including, but not limited to, text, graphics, audio, video and/or other content usable to be provided to the user, which may be served to the user by the web server in the form of HyperText Markup Language (“HTML”), Extensible Markup Language (“XML”), JavaScript, Cascading Style Sheets (“CSS”), JavaScript Object Notation (JSON), and/or another appropriate client-side structured language. Content transferred to a client device may be processed by the client device to provide the content in one or more forms including, but not limited to, forms that are perceptible to the user audibly, visually and/or through other senses. The handling of all requests and responses, as well as the delivery of content between the client device 1302 and the application server 1308, can be handled by the web server using PHP: Hypertext Preprocessor (“PHP”), Python, Ruby, Perl, Java, HTML, XML, JSON, and/or another appropriate server-side structured language in this example. Further, operations described herein as being performed by a single device may, unless otherwise clear from context, be performed collectively by multiple devices, which may form a distributed and/or virtual system.

The data store 1310 can include several separate data tables, databases, data documents, dynamic data storage schemes and/or other data storage mechanisms and media for storing data relating to a particular aspect of the present disclosure. For example, the data store illustrated may include mechanisms for storing production data 1312 and user information 1316, which can be used to serve content for the production side. The data store also is shown to include a mechanism for storing log data 1314, which can be used for reporting, analysis or other such purposes. It should be understood that there can be many other aspects that may need to be stored in the data store, such as page image information and access rights information, which can be stored in any of the above listed mechanisms as appropriate or in additional mechanisms in the data store 1310. The data store 1310 is operable, through logic associated therewith, to receive instructions from the application server 1308 and obtain, update or otherwise process data in response thereto. The application server 1308 may provide static, dynamic, or a combination of static and dynamic data in response to the received instructions. Dynamic data, such as data used in web logs (blogs), shopping applications, news services and other such applications may be generated by server-side structured languages as described herein or may be provided by a content management system (“CMS”) operating on, or under the control of, the application server. In one example, a user, through a device operated by the user, might submit a search request for a certain type of item. In this case, the data store might access the user information to verify the identity of the user and can access the catalog detail information to obtain information about items of that type. The information then can be returned to the user, such as in a results listing on a web page that the user is able to view via a browser on the user device 1302. Information for a particular item of interest can be viewed in a dedicated page or window of the browser. It should be noted, however, that embodiments of the present disclosure are not necessarily limited to the context of web pages, but may be more generally applicable to processing requests in general, where the requests are not necessarily requests for content.

Each server typically will include an operating system that provides executable program instructions for the general administration and operation of that server and typically will include a computer-readable storage medium (e.g., a hard disk, random access memory, read only memory, etc.) storing instructions that, when executed (i.e., as a result of being executed) by a processor of the server, allow the server to perform its intended functions.

The environment, in one embodiment, is a distributed and/or virtual computing environment utilizing several computer systems and components that are interconnected via communication links, using one or more computer networks or direct connections. However, it will be appreciated by those of ordinary skill in the art that such a system could operate equally well in a system having fewer or a greater number of components than are illustrated in FIG. 13. Thus, the depiction of the system 1300 in FIG. 13 should be taken as being illustrative in nature and not limiting to the scope of the disclosure.

The various embodiments further can be implemented in a wide variety of operating environments, which in some cases can include one or more user computers, computing devices or processing devices which can be used to operate any of a number of applications. User or client devices can include any of a number of computers, such as desktop, laptop or tablet computers running a standard operating system, as well as cellular, wireless and handheld devices running mobile software and capable of supporting a number of networking and messaging protocols. Such a system also can include a number of workstations running any of a variety of commercially-available operating systems and other known applications for purposes such as development and database management. These devices also can include other electronic devices, such as dummy terminals, thin-clients, gaming systems and other devices capable of communicating via a network. These devices also can include virtual devices such as virtual machines, hypervisors and other virtual devices capable of communicating via a network.

Various embodiments of the present disclosure utilize at least one network that would be familiar to those skilled in the art for supporting communications using any of a variety of commercially-available protocols, such as Transmission Control Protocol/Internet Protocol (“TCP/IP”), User Datagram Protocol (“UDP”), protocols operating in various layers of the Open System Interconnection (“OSI”) model, File Transfer Protocol (“FTP”), Universal Plug and Play (“UpnP”), Network File System (“NFS”), Common Internet File System (“CIFS”), and AppleTalk. The network can be, for example, a local area network, a wide-area network, a virtual private network, the Internet, an intranet, an extranet, a public switched telephone network, an infrared network, a wireless network, a satellite network, and any combination thereof. In some embodiments, connection-oriented protocols may be used to communicate between network endpoints. Connection-oriented protocols (sometimes called connection-based protocols) are capable of transmitting data in an ordered stream. Connection-oriented protocols can be reliable or unreliable. For example, the TCP protocol is a reliable connection-oriented protocol. Asynchronous Transfer Mode (“ATM”) and Frame Relay are unreliable connection-oriented protocols. Connection-oriented protocols are in contrast to packet-oriented protocols such as UDP that transmit packets without a guaranteed ordering.

In embodiments utilizing a web server, the web server can run any of a variety of server or mid-tier applications, including Hypertext Transfer Protocol (“HTTP”) servers, FTP servers, Common Gateway Interface (“CGI”) servers, data servers, Java servers, Apache servers, and business application servers. The server(s) also may be capable of executing programs or scripts in response to requests from user devices, such as by executing one or more web applications that may be implemented as one or more scripts or programs written in any programming language, such as Java®, C, C# or C++, or any scripting language, such as Ruby, PHP, Perl, Python or TCL, as well as combinations thereof. The server(s) may also include database servers, including without limitation those commercially available from Oracle®, Microsoft®, Sybase®, and IBM® as well as open-source servers such as MySQL, Postgres, SQLite, MongoDB, and any other server capable of storing, retrieving, and accessing structured or unstructured data. Database servers may include table-based servers, document-based servers, unstructured servers, relational servers, non-relational servers or combinations of these and/or other database servers.

The environment can include a variety of data stores and other memory and storage media as discussed above. These can reside in a variety of locations, such as on a storage medium local to (and/or resident in) one or more of the computers or remote from any or all of the computers across the network. In a particular set of embodiments, the information may reside in a storage-area network (“SAN”) familiar to those skilled in the art. Similarly, any necessary files for performing the functions attributed to the computers, servers or other network devices may be stored locally and/or remotely, as appropriate. Where a system includes computerized devices, each such device can include hardware elements that may be electrically coupled via a bus, the elements including, for example, at least one central processing unit (“CPU” or “processor”), at least one input device (e.g., a mouse, keyboard, controller, touch screen or keypad) and at least one output device (e.g., a display device, printer or speaker). Such a system may also include one or more storage devices, such as disk drives, optical storage devices and solid-state storage devices such as random access memory (“RAM”) or read-only memory (“ROM”), as well as removable media devices, memory cards, flash cards, etc.

Such devices also can include a computer-readable storage media reader, a communications device (e.g., a modem, a network card (wireless or wired), an infrared communication device, etc.), and working memory as described above. The computer-readable storage media reader can be connected with, or configured to receive, a computer-readable storage medium, representing remote, local, fixed, and/or removable storage devices as well as storage media for temporarily and/or more permanently containing, storing, transmitting, and retrieving computer-readable information. The system and various devices also typically will include a number of software applications, modules, services or other elements located within at least one working memory device, including an operating system and application programs, such as a client application or web browser. In addition, customized hardware might also be used and/or particular elements might be implemented in hardware, software (including portable software, such as applets) or both. Further, connection to other computing devices such as network input/output devices may be employed.

Storage media and computer readable media for containing code, or portions of code, can include any appropriate media known or used in the art, including storage media and communication media, such as, but not limited to, volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage and/or transmission of information such as computer readable instructions, data structures, program modules or other data, including RAM, ROM, Electrically Erasable Programmable Read-Only Memory (“EEPROM”), flash memory or other memory technology, Compact Disc Read-Only Memory (“CD-ROM”), digital versatile disk (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices or any other medium which can be used to store the desired information and which can be accessed by the system device. Based on the disclosure and teachings provided herein, a person of ordinary skill in the art will appreciate other ways and/or methods to implement the various embodiments.

The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. It will, however, be evident that various modifications and changes may be made thereunto without departing from the broader spirit and scope of the invention as set forth in the claims.

Other variations are within the spirit of the present disclosure. Thus, while the disclosed techniques are susceptible to various modifications and alternative constructions, certain illustrated embodiments thereof are shown in the drawings and have been described above in detail. It should be understood, however, that there is no intention to limit the invention to the specific form or forms disclosed, but on the contrary, the intention is to cover all modifications, alternative constructions and equivalents falling within the spirit and scope of the invention, as defined in the appended claims.

The use of the terms “a” and “an” and “the” and similar referents in the context of describing the disclosed embodiments (especially in the context of the following claims) are to be construed to cover both the singular and the plural, unless otherwise indicated herein or clearly contradicted by context. The terms “comprising,” “having,” “including” and “containing” are to be construed as open-ended terms (i.e., meaning “including, but not limited to,”) unless otherwise noted. The term “connected,” when unmodified and referring to physical connections, is to be construed as partly or wholly contained within, attached to or joined together, even if there is something intervening. Recitation of ranges of values herein are merely intended to serve as a shorthand method of referring individually to each separate value falling within the range, unless otherwise indicated herein and each separate value is incorporated into the specification as if it were individually recited herein. The use of the term “set” (e.g., “a set of items”) or “subset” unless otherwise noted or contradicted by context, is to be construed as a nonempty collection comprising one or more members. Further, unless otherwise noted or contradicted by context, the term “subset” of a corresponding set does not necessarily denote a proper subset of the corresponding set, but the subset and the corresponding set may be equal.

Conjunctive language, such as phrases of the form “at least one of A, B, and C,” or “at least one of A, B and C,” unless specifically stated otherwise or otherwise clearly contradicted by context, is otherwise understood with the context as used in general to present that an item, term, etc., may be either A or B or C, or any nonempty subset of the set of A and B and C. For instance, in the illustrative example of a set having three members, the conjunctive phrases “at least one of A, B, and C” and “at least one of A, B and C” refer to any of the following sets: {A}, {B}, {C}, {A, B}, {A, C}, {B, C}, {A, B, C}. Thus, such conjunctive language is not generally intended to imply that certain embodiments require at least one of A, at least one of B and at least one of C each to be present.

Operations of processes described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. Processes described herein (or variations and/or combinations thereof) may be performed under the control of one or more computer systems configured with executable instructions and may be implemented as code (e.g., executable instructions, one or more computer programs or one or more applications) executing collectively on one or more processors, by hardware or combinations thereof. The code may be stored on a computer-readable storage medium, for example, in the form of a computer program comprising a plurality of instructions executable by one or more processors. The computer-readable storage medium may be non-transitory. In some embodiments, the code is stored on set of one or more non-transitory computer-readable storage media having stored thereon executable instructions that, when executed (i.e., as a result of being executed) by one or more processors of a computer system, cause the computer system to perform operations described herein. The set of non-transitory computer-readable storage media may comprise multiple non-transitory computer-readable storage media and one or more of individual non-transitory storage media of the multiple non-transitory computer-readable storage media may lack all of the code while the multiple non-transitory computer-readable storage media collectively store all of the code.

Accordingly, in some examples, computer systems are configured to implement one or more services that singly or collectively perform operations of processes described herein. Such computer systems may, for instance, be configured with applicable hardware and/or software that enable the performance of the operations. Further, computer systems that implement various embodiments of the present disclosure may, in some examples, be single devices and, in other examples, be distributed computer systems comprising multiple devices that operate differently such that the distributed computer system performs the operations described herein and such that a single device may not perform all operations.

The use of any and all examples, or exemplary language (e.g., “such as”) provided herein, is intended merely to better illuminate embodiments of the invention and does not pose a limitation on the scope of the invention unless otherwise claimed. No language in the specification should be construed as indicating any non-claimed element as essential to the practice of the invention.

Embodiments of this disclosure are described herein, including the best mode known to the inventors for carrying out the invention. Variations of those embodiments may become apparent to those of ordinary skill in the art upon reading the foregoing description. The inventors expect skilled artisans to employ such variations as appropriate and the inventors intend for embodiments of the present disclosure to be practiced otherwise than as specifically described herein. Accordingly, the scope of the present disclosure includes all modifications and equivalents of the subject matter recited in the claims appended hereto as permitted by applicable law. Moreover, any combination of the above-described elements in all possible variations thereof is encompassed by the scope of the present disclosure unless otherwise indicated herein or otherwise clearly contradicted by context.

All references, including publications, patent applications, and patents, cited herein are hereby incorporated by reference to the same extent as if each reference were individually and specifically indicated to be incorporated by reference and were set forth in its entirety herein. 

What is claimed is:
 1. A computer-implemented method, comprising: in response to obtaining a data storage request whose fulfillment involves storing data in a plurality of volumes of durable storage of a data storage system, the data storage request specifying a home region of a plurality of regions, storing the data by at least: using a redundancy code, redundancy coding the data into a bundle of bundle-encoded shards that includes a set of data shards and a set of derived shards, the set of data shards including an original form of the data, the set of derived shards including a redundancy-coded form of the data, a quorum quantity of the bundle of bundle-encoded shards being sufficient to recreate the data via the redundancy code, the quorum quantity being less than a quantity of shards in the bundle; encrypting the set of data shards using an encryption key to produce an encrypted set of data shards; processing the encryption key so as to generate a set of encryption key shards, the set of encryption key shards having a size equal to a size of the set of data shards, a quorum quantity of the set of encryption key shards being: less than the quorum quantity of the bundle of bundle-encoded shards; and sufficient to regenerate the encryption key; distributing the encrypted set of data shards and the set of encryption key shards among a first set of volumes of the plurality of volumes, the first set of volumes being located in the home region; storing the set of derived shards among a second set of volumes of the plurality of volumes, the second set of volumes located outside of the home region; and tracking shard storage in the second set of volumes so as to prevent a total number of shards of the set of derived shards from being stored among the second set of volumes such that a number of shards that is stored outside of the home region is insufficient to recreate the data.
 2. The computer-implemented method of claim 1, wherein: the computer-implemented method further comprises encrypting the set of derived shards with the encryption key within the home region to produce an encrypted set of derived shards; and storing the set of derived shards includes storing the encrypted set of derived shards on the second set of volumes.
 3. The computer-implemented method of claim 1, further comprising generating the set of derived shards using the encrypted set of data shards.
 4. The computer-implemented method of claim 1, wherein the set of derived shards has a quantity of shards insufficient for regeneration of any of the data without at least one member of the encrypted set of data shards.
 5. A system, comprising: at least one computing device configured to implement one or more services, wherein the one or more services: in response to obtaining a data storage request whose fulfillment involves storing data in a plurality of volumes of durable storage of a data storage system, the data storage request specifying a home region of a plurality of regions, store the data by at least causing the one or more services to: using a redundancy code, redundancy code the data into a bundle of bundle-encoded shards that includes a set of data shards and set of derived shards, the set of data shards including an original form of the data, the set of derived shards including a redundancy-coded form of the data, a quorum quantity of the bundle being sufficient to recreate the data via the redundancy code, the quorum quantity being less than a quantity of shards in the bundle; encrypt the set of data shards using an encryption key to produce an encrypted set of data shards; process the encryption key so as to generate a set of encryption key shards, the set of encryption key shards having a size equal to a size of the set of data shards, a quorum quantity of the set of encryption key shards being: less than the quorum quantity of the bundle of bundle-encoded shards; and sufficient to regenerate the encryption key; distribute the encrypted set of data shards and some of the set of encryption key shards among a first set of volumes of the plurality of volumes, the first set of volumes being located in the home region; store the set of derived shards among a second set of volumes, the second set of volumes located outside of the home region; and track shard storage in the second set of volumes so as to prevent a total number of shards of the set of derived shards from being stored among the second set of volumes such that a number of shards that is stored outside of the home region is insufficient to recreate the data.
 6. The system of claim 5, wherein the set of derived shards has a quantity of shards insufficient for regeneration of any of the data without at least one member of the encrypted set of data shards.
 7. The system of claim 5, wherein the home region and a region outside the home region include a plurality of volumes to which the encrypted set of data shards and the set of derived shards are allocated.
 8. The system of claim 5, wherein the encryption key is processed using a shared secret cryptographic algorithm.
 9. The system of claim 8, wherein the shared secret cryptographic algorithm is Shamir's Secret Sharing.
 10. The system of claim 8, wherein the shared secret cryptographic algorithm is used to generate the set of encryption key shards, a subset of which is sufficient for reconstructing the encryption key.
 11. The system of claim 10, wherein at least some of the set of encrypted key shards are stored within the home region.
 12. The system of claim 5, wherein the redundancy code is a linear erasure code.
 13. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least: in response to obtaining a data storage request whose fulfillment involves storing data in a plurality of volumes of durable storage of a data storage system, the data storage request specifying a home region of a plurality of regions, store the data by at least causing the computer system to: using a redundancy code, redundancy code the data into a bundle of bundle-encoded shards that includes a set of data shards and set of derived shards, the set of data shards including an original form of the data, the set of derived shards including a redundancy-coded form of the data, a quorum quantity of the bundle being sufficient to recreate the data via the redundancy code, the quorum quantity being less than a quantity of shards in the bundle; encrypt the set of data shards using an encryption key to produce an encrypted set of data shards; process the encryption key so as to generate a set of encryption key shards, the set of encryption key shards having a size equal to a size of the set of data shards, a quorum quantity of the set of encryption key shards being: less than the quorum quantity of the bundle of bundle-encoded shards; and sufficient to regenerate the encryption key; distribute the encrypted set of data shards and some of the set of encryption key shards among a first set of volumes of the plurality of volumes, the first set of volumes being located in the home region; store the set of derived shards among a second set of volumes of the plurality of volumes, the second set of volumes located outside of the home region; and track shard storage in the second set of volumes so as to prevent a total number of shards of the set of derived shards from being stored among the second set of volumes such that a number of shards that is stored outside of the home region is insufficient to recreate the data.
 14. The non-transitory computer-readable storage medium of claim 13, wherein the executable instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to generate the bundle of bundle-encoded shards as a subset of a grid of shards.
 15. The non-transitory computer-readable storage medium of claim 14, wherein the set of derived shards are vertically derived.
 16. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to store at least some of the set of derived shards within the home region.
 17. The non-transitory computer-readable storage medium of claim 13, wherein the encryption key is a plain-text encryption key provided by a key management service.
 18. The non-transitory computer-readable storage medium of claim 13, wherein the redundancy code includes a linear erasure code.
 19. The non-transitory computer-readable storage medium of claim 18, wherein the linear erasure code is Reed-Solomon.
 20. The non-transitory computer-readable storage medium of claim 13, wherein the set of derived shards are generated using the encrypted set of data shards. 